p4gefau1t / trojan-go

A Trojan proxy implemented in Go, with multiplexing, routing, CDN relay and a Shadowsocks obfuscation plugin; multi-platform, no dependencies. A Trojan proxy written in Go. An unidentifiable mechanism that helps you bypass GFW. https://p4gefau1t.github.io/trojan-go/
GNU General Public License v3.0

Intermittent "failed to read hash" errors after enabling the Cloudflare proxy #455

Open sleepwalkera opened 2 years ago

sleepwalkera commented 2 years ago

Briefly describe the bug

After going through the Cloudflare proxy, the server intermittently logs the connection error "connection with invalid trojan header from xxx:xxx | failed to read hash | EOF", and the client correspondingly logs "proxy failed to dial connection | websocket cannot dial with underlying client | tls failed to handshake with remote server | read tcp xxx:xxx->xxx:xxx: read: connection reset by peer". It stops working, then recovers on its own after a while.

How to reproduce the bug

With the Cloudflare proxy enabled, the error appears intermittently; with the Cloudflare proxy disabled and the client connecting directly to the server, the problem no longer appears.

Server and client environment

Server: Linux 5.10.0-15 amd64, Docker image teddysun/trojan-go 0.10.6. Client: Ubuntu 22.04 LTS, same Docker image. Cloudflare's SSL/TLS encryption mode is set to "Full".

Server and client logs

Server log

[INFO]  2022/06/25 15:40:03 tcp connection from 172.70.214.110:28542
[INFO]  2022/06/25 15:40:03 tls connection from 172.70.214.110:28542
[TRACE] 2022/06/25 15:40:03 tls handshake TLS_AES_128_GCM_SHA256 false 
[DEBUG] 2022/06/25 15:40:03 github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).acceptLoop.func1:server.go:172 http req:  &{GET /my_ws_path/ HTTP/1.1 1 1 map[Accept-Encoding:[gzip] Cdn-Loop:[cloudflare] Cf-Connecting-Ip:[my_real_ip] Cf-Ipcountry:[CN] Cf-Ray:[720c0d883b427cda-LAX] Cf-Visitor:[{"scheme":"https"}] Connection:[Upgrade] Origin:[https://my_site] Sec-Websocket-Key:[ZXpMXeo6QeFERIsnGrUH5Q==] Sec-Websocket-Version:[13] Upgrade:[websocket] X-Forwarded-For:[my_real_ip] X-Forwarded-Proto:[https]] {} <nil> 0 [] false my_site map[] map[] <nil> map[]  /my_ws_path/ <nil> <nil> <nil> <nil>}
[DEBUG] 2022/06/25 15:40:03 github.com/p4gefau1t/trojan-go/tunnel/websocket.(*Server).AcceptConn.func2:server.go:115 websocket url /my_ws_path/ origin https://my_site
[DEBUG] 2022/06/25 15:40:03 github.com/p4gefau1t/trojan-go/tunnel/websocket.(*Server).AcceptConn.func1:server.go:107 websocket obtained
[DEBUG] 2022/06/25 15:40:03 github.com/p4gefau1t/trojan-go/tunnel/tls.(*Server).AcceptConn:server.go:184 next proto http
[WARN]  2022/06/25 15:41:43 connection with invalid trojan header from 172.70.214.110:28542 | failed to read hash | EOF
[DEBUG] 2022/06/25 15:41:43 github.com/p4gefau1t/trojan-go/redirector.(*Redirector).Redirect:redirector.go:33 redirect request
[WARN]  2022/06/25 15:41:43 redirecting connection from 172.70.214.110:28542 to caddy:80
[INFO]  2022/06/25 15:41:43 redirection done
[DEBUG] 2022/06/25 15:41:43 github.com/p4gefau1t/trojan-go/tunnel/websocket.(*Server).AcceptConn.func1:server.go:112 websocket closed

Client log

[ERROR] 2022/06/25 15:48:18 github.com/p4gefau1t/trojan-go/proxy.(*Proxy).relayConnLoop.func1.1:proxy.go:66 proxy failed to dial connection | websocket failed to handshake with server | unexpected EOF
[DEBUG] 2022/06/25 15:48:18 github.com/p4gefau1t/trojan-go/tunnel/adapter.(*Server).acceptConnLoop:server.go:53 socks5 connection
[INFO]  2022/06/25 15:48:18 socks connection from 172.17.0.1:47656 metadata www.google.com:443
[DEBUG] 2022/06/25 15:48:29 github.com/p4gefau1t/trojan-go/tunnel/adapter.(*Server).acceptConnLoop:server.go:53 socks5 connection
[INFO]  2022/06/25 15:48:29 socks connection from 172.17.0.1:47658 metadata ogs.google.com:443
[ERROR] 2022/06/25 15:49:01 github.com/p4gefau1t/trojan-go/proxy.(*Proxy).relayConnLoop.func1.1:proxy.go:66 proxy failed to dial connection | websocket cannot dial with underlying client | tls failed to dial conn | transport failed to connect to remote server | freedom failed to dial my_site:443 | dial tcp 104.21.10.67:443: connect: connection timed out
[ERROR] 2022/06/25 15:49:10 github.com/p4gefau1t/trojan-go/proxy.(*Proxy).relayConnLoop.func1.1:proxy.go:66 proxy failed to dial connection | websocket failed to handshake with server | read tcp 172.17.0.4:33270->172.67.131.66:443: read: connection reset by peer
[DEBUG] 2022/06/25 15:49:41 github.com/p4gefau1t/trojan-go/proxy.(*Proxy).relayConnLoop.func1.1:proxy.go:86 conn relay ends
[INFO]  2022/06/25 15:49:41 connection to content-autofill.googleapis.com:443 closed sent: 64 B recv: 4.63 KiB
[DEBUG] 2022/06/25 15:49:41 github.com/p4gefau1t/trojan-go/tunnel/adapter.(*Server).acceptConnLoop:server.go:53 socks5 connection
[INFO]  2022/06/25 15:49:41 socks connection from 172.17.0.1:47660 metadata www.google.com:443
[ERROR] 2022/06/25 15:50:13 github.com/p4gefau1t/trojan-go/proxy.(*Proxy).relayConnLoop.func1.1:proxy.go:66 proxy failed to dial connection | websocket cannot dial with underlying client | tls failed to handshake with remote server | read tcp 172.17.0.4:43748->104.21.10.67:443: read: connection reset by peer

Server and client configuration files

Server configuration

{
    "run_type": "server",
    "local_addr": "0.0.0.0",
    "local_port": 443,
    "remote_addr": "caddy",
    "remote_port": 80,
    "log_level": 0,
    "password": [
        "my_password"
    ],
    "ssl": {
        "cert": "/etc/trojan-go/cert/fullchain1.pem",
        "key": "/etc/trojan-go/cert/privkey1.pem",
        "sni": "my_site"
    }
}

The server uses a Let's Encrypt certificate.

Client configuration

{
    "run_type": "client",
    "local_addr": "0.0.0.0",
    "local_port": 1080,
    "remote_addr": "my_site",
    "remote_port": 443,
    "log_level": 0,
    "websocket": {
        "enabled": true,
        "path": "/my_ws_path/",
        "double_tls": false,
        "host": "my_site"
    },
    "password": [
        "my_password"
    ],
    "ssl": {
        "sni": "my_site",
        "fingerprint": ""
    }
}

Server and client version information

Trojan-Go v0.10.6
Go Version: go1.17.1
OS/Arch: linux/amd64
Git Commit: 2dc60f52e79ff8b910e78e444f1e80678e936450
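One thing the server log in this report already shows, but which is easy to miss by eye, is the timing: the same remote address is accepted over TLS at 15:40:03 and the trojan header read fails with EOF at 15:41:43, i.e. the CDN edge held the upgraded WebSocket open for 100 seconds and then closed it without ever sending the 56-byte hash. The following Go program is an added example (not code from trojan-go or from anyone in this thread) that pairs each "invalid trojan header" warning with the TLS accept for the same remote address, reports the idle time before the failure, and records the fallback target it was redirected to. The sample log is constructed from the lines quoted above; the log-line format and the `AnalyzeServerLog` / `Summarize` names are assumptions of this example, not a trojan-go API.

```go
package main

// Added example: correlate trojan-go server log lines so that each
// "connection with invalid trojan header" warning is paired with the
// "tls connection from" accept for the same remote address. The idle time
// between the two, and whether the failure reason is a bare EOF (peer closed
// without sending any header) or something else, are the two facts worth
// comparing against the CDN edge's idle-connection timeout before blaming
// the client or the password.

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// sampleServerLog is constructed from the server-side lines quoted in the issue.
// Lines the parser does not recognise (the DEBUG traces) are simply skipped.
const sampleServerLog = `[INFO]  2022/06/25 15:40:03 tcp connection from 172.70.214.110:28542
[INFO]  2022/06/25 15:40:03 tls connection from 172.70.214.110:28542
[DEBUG] 2022/06/25 15:40:03 github.com/p4gefau1t/trojan-go/tunnel/websocket.(*Server).AcceptConn.func1:server.go:107 websocket obtained
[WARN]  2022/06/25 15:41:43 connection with invalid trojan header from 172.70.214.110:28542 | failed to read hash | EOF
[WARN]  2022/06/25 15:41:43 redirecting connection from 172.70.214.110:28542 to caddy:80
[INFO]  2022/06/25 15:41:43 redirection done`

const tsLayout = "2006/01/02 15:04:05" // trojan-go log timestamp format as seen above

var (
	lineRe     = regexp.MustCompile(`^\[(\w+)\]\s+(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.*)$`)
	tlsOpenRe  = regexp.MustCompile(`^tls connection from (\S+)$`)
	badHdrRe   = regexp.MustCompile(`^connection with invalid trojan header from (\S+) \| (.+)$`)
	redirectRe = regexp.MustCompile(`^redirecting connection from (\S+) to (\S+)$`)
)

// HeaderFailure is one "invalid trojan header" event with its context.
type HeaderFailure struct {
	Remote   string
	Opened   time.Time // TLS accept for this remote (zero if not seen)
	Failed   time.Time // time of the warning
	Reason   string    // e.g. "EOF": peer closed before sending the hash
	Redirect string    // fallback target, empty if no redirect line followed
}

// IdleBeforeFailure is how long the connection was open before the header read failed.
func (h HeaderFailure) IdleBeforeFailure() time.Duration { return h.Failed.Sub(h.Opened) }

// AnalyzeServerLog scans trojan-go server log text and returns every header
// failure, paired with the most recent TLS accept from the same remote address.
func AnalyzeServerLog(text string) ([]HeaderFailure, error) {
	opened := map[string]time.Time{}
	var out []HeaderFailure
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		m := lineRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		ts, err := time.Parse(tsLayout, m[2])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp %q: %w", m[2], err)
		}
		msg := m[3]
		switch {
		case tlsOpenRe.MatchString(msg):
			opened[tlsOpenRe.FindStringSubmatch(msg)[1]] = ts
		case badHdrRe.MatchString(msg):
			sm := badHdrRe.FindStringSubmatch(msg)
			reason := strings.TrimPrefix(sm[2], "failed to read hash | ")
			out = append(out, HeaderFailure{Remote: sm[1], Opened: opened[sm[1]], Failed: ts, Reason: reason})
		case redirectRe.MatchString(msg):
			sm := redirectRe.FindStringSubmatch(msg)
			// Attach the fallback target to the latest failure from that remote.
			for i := len(out) - 1; i >= 0; i-- {
				if out[i].Remote == sm[1] && out[i].Redirect == "" {
					out[i].Redirect = sm[2]
					break
				}
			}
		}
	}
	return out, sc.Err()
}

// Summarize renders one human-readable line per failure.
func Summarize(fails []HeaderFailure) []string {
	var lines []string
	for _, f := range fails {
		idle := "unknown"
		if !f.Opened.IsZero() {
			idle = f.IdleBeforeFailure().String()
		}
		lines = append(lines, fmt.Sprintf("%s: header read failed (%s) after %s idle; redirected to %q",
			f.Remote, f.Reason, idle, f.Redirect))
	}
	return lines
}

func main() {
	fails, err := AnalyzeServerLog(sampleServerLog)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, l := range Summarize(fails) {
		fmt.Println(l) // 172.70.214.110:28542: header read failed (EOF) after 1m40s idle; redirected to "caddy:80"
	}
}
```

Run against a longer log, the distribution of idle times is the thing to look at: a cluster of EOF failures at one fixed gap points at a timeout somewhere between the client and trojan-go, whereas failures with a non-EOF reason (bytes arrived but did not match any password hash) are what a probe or a misconfigured client would produce, and those are the ones that deserve the fallback-to-`caddy:80` treatment.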
CXwudi commented 2 years ago

Your server also needs WebSocket configured: https://p4gefau1t.github.io/trojan-go/advance/websocket/

everwisher commented 2 years ago

Both my server and client have WebSocket configured and I still get this error; with the CDN turned off and a direct connection it works fine.

CXwudi commented 2 years ago

Then make sure CF's WebSocket forwarding is enabled.

everwisher commented 2 years ago

Thanks for the reply. But I didn't know WebSocket proxying has to be enabled on CF. Isn't it supported out of the box? None of the tutorials seem to mention it...

CXwudi commented 2 years ago

Just in case you turned it off by accident, or CF now disables WebSocket by default for new sites.

everwisher commented 2 years ago

Just in case you turned it off by accident, or CF now disables CF by default for new sites.

Haha, even if you told me to turn it off I couldn't find where 😹

CXwudi commented 2 years ago

Just as a reminder: the server configuration you posted at the start is one without WebSocket configured. If it still doesn't work after changing it, post your new configuration so we can take a look.

everwisher commented 2 years ago

Just as a reminder: the server configuration you posted at the start is one without WebSocket configured. If it still doesn't work after changing it, post your new configuration so we can take a look.

Thanks, but actually I'm not the one who posted this; the same error showed up in my logs, so I followed up on this thread. Thanks anyway :) My client is ShadowRocket on iOS. On the server, Nginx listens on 443 and splits traffic by domain at layer 4; trojan is the p4gefau1t/trojan-go Docker image. The config.json is as follows:

{
    "run_type": "server",
    "local_addr": "0.0.0.0",
    "local_port": 20001,
    "remote_addr": "127.0.0.1",
    "remote_port": 80,
    "log_level": 0,
    "log_file": "/etc/trojan-go/trojan-go.log",
    "password": [
        "mypassword.com",
        "mypassword.net"
    ],
    "ssl": {
        "verify": true,
        "verify_hostname": true,
        "cert": "/tls/fullchain.cer",
        "key": "/tls/mydomain.com.key",
        "sni": "trojan.mydomain.com",
        "fallback_addr": "127.0.0.1",
        "fallback_port": 20001,
        "alpn": [
            "h2",
            "http\/1.1"
        ],
        "reuse_session": true,
        "session_ticket": true,
        "session_timeout": 600,
        "plain_http_response": "",
        "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384",
        "cipher_tls13": "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",
        "prefer_server_cipher": true,
        "curves": "",
        "dhparam": ""
    },
    "tcp": {
        "no_delay": true,
        "keep_alive": true,
        "reuse_port": false,
        "prefer_ipv4": false,
        "fast_open": false,
        "fast_open_qlen": 20
    },
    "mysql": {
        "enabled": false,
        "server_addr": "127.0.0.1",
        "server_port": 3306,
        "database": "trojan",
        "username": "trojan",
        "password": ""
    },
    "websocket": {
        "enabled": true,
        "path": "/fuckccp",
        "hostname": "trojan.mydomain.com",
        "obfuscation_password": "",
        "double_tls": false,
        "ssl": {
            "verify": true,
            "verify_hostname": true,
            "cert": "/tls/fullchain.cer",
            "key": "/tls/mydomain.com.key",
            "key_password": "",
            "prefer_server_cipher": true,
            "sni": "trojan.mydomain.com",
            "session_ticket": true,
            "reuse_session": true,
            "plain_http_response": ""
        }
    }
}

CXwudi commented 2 years ago

Ah, I only now noticed you're not the original poster. Also, I use nginx layer-7 splitting, i.e. splitting inside HTTP. I described my own configuration in https://github.com/p4gefau1t/trojan-go/issues/234#issuecomment-946342401, in case it helps.

DrKenther commented 2 years ago

Same error. At first I used nginx SNI-based routing; then after a look at the docs I simply turned off TLS in trojan and left it all to nginx. The config file then becomes very conventional and simple.

Add to trojan.conf:

"transport_plugin": {
    "enabled": true,
    "type": "plaintext",
    "command": "",
    "option": "",
    "arg": [],
    "env": []
},

Btw, I do the same with xray/vless; it's better to hand TLS and the like entirely to nginx. If the kernel supports it you can enable nginx kTLS, see: https://www.nginx.com/blog/improving-nginx-performance-with-kernel-tls/